The 28th Chaos Communication Congress (28C3) is currently underway in Berlin and on Tuesday, researcher Karsten Nohl gave a presentation called: Defending mobile phones. If you have an hour, it's worth watching.

Initial press reports focused on Nohl's revelation that hackers can potentially sniff numerous phone IDs and network authentications from an advantageous point, and because network authentications aren't frequently refreshed (depending on the network operator), an attacker could make expensive premium rate calls and bill them to other people. GSM network specifications allow for every network action to be re-authenticated, but that requires serious investment in authentication servers. So operators may only do it every third call. Or tenth. Or perhaps only when the phone connects to the network.

But one of the most interesting things, from our point of view, was Nohl's brief reference to recent reports (Dec. 13th) about various German police authorities having used nearly half a million "Silent SMS" to track suspects in 2010.

So we did a web search and found nothing about it in the English language press. However, Wikipedia's SMS entry has (had) this:

Silent messages, often called silent SMS, stealth SMS, or stealthy ping, will not show up on the display, neither is there an acoustical signal when they are received. However, at the mobile provider some data is created (for example, the subscriber identification IMSI). This kind of message is sent especially by the police to locate a person or to create a complete movement profile of a person. In Germany in the year 2010, nearly half a million "silent SMSs" were sent by the federal police, the customs, and the secret service "Office for Protection of the Constitution."

We followed the referenced link to this Heise Online article. The title translates as: Customs, Federal Police and Protection of the Constitution in 2010 sent more than 440,000 "silent SMS".

Hmm, Germany's Customs Enforcement. Those were the folks that used the R2D2 backdoor a.k.a. "0zapftis".

Using Google Translate and Google News, we were able to locate more German language articles using "stille SMS".

In the screenshot below, you can see the number of messages sent by three authorities since 2006.

So what exactly does this mean?

Well, basically, various German law enforcement agencies have been "pinging" mobile phones. Such pings only report whether the targeted resource is online, just like an IP network ping from a computer would.

But then, after making their pings, the agencies have been requesting network logs from mobile network operators. The logs don't reveal information from the mobile phones themselves, but they can be used to locate the cell towers through which the pings traveled, and can thus be used to track the targeted phone.

Requesting such network logs was a legal gray area until 2007, when Germany amended its telecommunications surveillance act.

And now we are left to wonder, just how many other countries consider this type of tracking to be a gray area?

It's almost the end of 2011. What with Christmas recently passed, and the New Year coming up, there's naturally a lot of well wishes and holiday greetings being messaged around. Looks like somebody's decided to join in (a little late) — and also do a bit of data harvesting at the same time.

Spyware:Android/AdBoo.A appears to be one of those programs that lets you send witty/sweet/funny messages to your contacts. On execution, it displays a list of text messages that fall into different categories: new year wishes, friendship, love and jokes:

When the user selects one of these messages, the app prompts a dialog box asking for the next action: Contact, Edit or Cancel:

If Contact is chosen, the app tries to read the stored contact data. Presumably, it needs to know to whom to send the message:

During our initial analysis, because the test phone didn't have any stored contacts, the app didn't retrieve anything at this point.

However, when AdBoo was retested with (bogus) contacts present, no text message was sent then either — AdBoo only produces a dialog box with the message "Sending fail":

We noticed that the app did do something else though. On selecting the Contact option, it silently obtained the following information from the device:

There's a run of ZeuS (aka Zbot) trojans currently targeting several Finnish banks. And naturally, our Threat Research team has been working on related cases. Interestingly, they've discovered some new ZeuS functionality that hints of SpyEye.

This version of ZeuS 2.x (Zbot.AVRC) has two new commands it will accept: user_activate_imodule and user_restart_imodule.

SHA1: bf4fc1fb3bf98e1e783fb974f0b3ba622cd4b267

When it receives the command user_activate_imodule, Zbot.AVRC will start a thread that attempts to load a certain DLL from disk, and if the DLL does not exist, it will be downloaded from a remote server. The trojan then fetches the addresses for three different functions that are exported by the DLL: TakeBotGuid, Init, and Start. The DLL is then started by creating a thread that runs code from the DLL.

user_restart_imodule simply calls the function named "Start" from the loaded DLL.

It is interesting to see that the names of the functions used from the loaded DLL are the same as those used by SpyEye trojan components. The names of the related commands could also be interpreted as referring to SpyEye (imodule = eyemodule?).

Anyone who has seen more than their fair share of ZeuS bots (our sympathies) will notice that two frequently seen commands are not present; namely the commands for stealing passwords stored by FTP clients (user_ftpclients_get) and e-mail clients (user_emailclients_get).

Another notable detail of this ZeuS run is the quality of the Finnish used.

Here's an example:

After a customer has started their banking session, they'll be prompted by this message:

"Suo anteeksi, teknillinen palvelu tietää virheestä ja korjaa sitä."

This translates roughly as: we're sorry, there's an error and we're working to fix it.

And while the grammar is really rather good, the tone is a bit… odd. Native Finnish speakers say that the sentence sounds something like "we beg your pardon, but there has been an error" et cetera. It's a little too polite for an error message.

We speculate the bank trojan gang outsourced their localization to professional translators, but didn't provide quite enough context.

Earlier this month, we did a post about a family of premium rate SMS Trojans, which we detected as Trojan:Android/FakeNotify.A. Now we've found that the trojan has been updated, with changes to make analysis and detection more troublesome.

The new version comes from the same developer, as can be seen from the signing certificate. There's no change in the trojan's overall behavior, but the coding approach has changed significantly enough to foil static analysis tools and such.

For example, while analyzing, I compared the SMS sending routine from both the original and the current versions, and observed a change from the earlier simpler coding approach to a more dynamic one.

In the original version of FakeNotify, the routine was implemented in a straightforward manner that makes it very easy to "read" what it does:

FakeNotify.A

The new version however takes advantage of the Reflection/Dynamic Invocation feature in the Java language to accomplish the same purpose, while making it harder for analysts to "read" the code.

The developer even goes one step further by obfuscating the string arguments with their own encoding/decoding algorithm (though this is just a simple substitution-like cipher). You can see the encoded form below:

FakeNotify.B, SHA1: df866cf4312cf9c929a9a7dc384eebb19d2b2c2d

The change in coding approach could easily defeat most static analysis tools.

Side note: during analysis, I suddenly realized the similarity between the Windows LoadLibrary and GetProcAddress combo of API functions and some features of Java Reflection. Both resolve a target at run time, an API function's address in Windows or a class or method object handle in Java, and both then let the developer call or invoke what was just acquired, so the target never has to appear as a static reference.

Anyway, let's go back to the Android world. To ease analysis of the new FakeNotify version, I created a simple Python script to replace instances of obfuscated strings with the plaintext ones throughout all the decompiled Java sources of the malicious application.

After the patching, it became clearer that the SMS sending routine obtains the handle to the class SmsManager and its getDefault method/function, which subsequently needs to be invoked/called or properly initialized in order to use the SmsManager class's sendTextMessage function:
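The script below is an added example of that patching approach, written for this post and not the script from the original analysis. It assumes a hypothetical decoder call spelled `Obf.d("...")` in the decompiled sources, and a constructed substitution cipher (shift within a fixed alphabet) standing in for the trojan's own encoding, which the post does not reproduce. It patches every decoder call into a plaintext literal and then lists the classes and methods the patched code reaches through reflection, so that an `SmsManager.getDefault` / `sendTextMessage` chain like the one described above becomes visible at a glance. The sample "decompiled" source is constructed in the block itself.

```python
"""Deobfuscation helper for decompiled Android sources (added example).

Assumptions (none of these come from the FakeNotify sample itself):
  * the decompiled code wraps every obfuscated literal in a call to a
    hypothetical decoder method, here spelled Obf.d("...");
  * the cipher is a simple monoalphabetic substitution: each character in
    ALPHABET is replaced by the one SHIFT positions later, and characters
    outside ALPHABET pass through unchanged.
"""
import re
import string

ALPHABET = string.ascii_letters + string.digits + "._/+"   # constructed alphabet
SHIFT = 7                                                  # constructed key

_ENC = {c: ALPHABET[(i + SHIFT) % len(ALPHABET)] for i, c in enumerate(ALPHABET)}
_DEC = {v: k for k, v in _ENC.items()}


def encode(plain: str) -> str:
    """Apply the toy substitution; only used here to build the constructed sample."""
    return "".join(_ENC.get(c, c) for c in plain)


def decode(encoded: str) -> str:
    """Inverse mapping: the part an analyst re-implements from the decompiled decoder."""
    return "".join(_DEC.get(c, c) for c in encoded)


# Matches the hypothetical decoder call and captures the encoded literal.
_OBF_CALL = re.compile(r'Obf\.d\("([^"\\]*)"\)')


def patch_source(src: str) -> str:
    """Replace every Obf.d("<encoded>") with the plaintext string literal."""
    return _OBF_CALL.sub(lambda m: '"%s"' % decode(m.group(1)), src)


def patch_tree(sources: dict) -> dict:
    """Patch a whole decompiled tree given as {relative path: source text}."""
    return {path: patch_source(text) for path, text in sources.items()}


_CLASS_REF = re.compile(r'Class\.forName\("([^"]+)"\)')
_METHOD_REF = re.compile(r'\.getMethod\("([^"]+)"')


def reflection_targets(src: str) -> dict:
    """List the classes and methods resolved through reflection in patched source."""
    return {"classes": _CLASS_REF.findall(src), "methods": _METHOD_REF.findall(src)}


def analyze(sources: dict) -> dict:
    """Patch the tree and summarise reflection targets per file."""
    return {path: reflection_targets(text) for path, text in patch_tree(sources).items()}


# Constructed sample: what a decompiled, reflection-based SMS sending routine
# could look like once its string arguments are obfuscated. The destination
# number and message body are placeholders, not values from any sample.
SAMPLE_SOURCES = {
    "com/example/Sender.java": (
        'Class c = Class.forName(Obf.d("%s"));\n'
        'Object mgr = c.getMethod(Obf.d("%s"), new Class[0]).invoke(null, new Object[0]);\n'
        'java.lang.reflect.Method send = c.getMethod(Obf.d("%s"), String.class, String.class,\n'
        '        String.class, android.app.PendingIntent.class, android.app.PendingIntent.class);\n'
        'send.invoke(mgr, Obf.d("%s"), null, Obf.d("%s"), null, null);\n'
    ) % tuple(encode(s) for s in (
        "android.telephony.SmsManager", "getDefault", "sendTextMessage",
        "SHORTCODE_PLACEHOLDER", "PAYLOAD_PLACEHOLDER",
    )),
}

if __name__ == "__main__":
    for path, text in patch_tree(SAMPLE_SOURCES).items():
        print("==", path)
        print(text)
    print(analyze(SAMPLE_SOURCES))
```

On a real tree the decoder is recovered first by reading the decompiled decoding method; once `decode` matches it, running the patcher over every `.java` file turns the reflection calls back into readable references, and the `reflection_targets` summary is a quick way to spot telephony APIs reached without any direct import.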

Granted, this is hardly the first time I've seen the Java Reflection feature being used by Android malware, and the string obfuscation is not complex. It is however a pretty clear example of how Android malware developers are continuously adapting and upgrading their techniques to keep their "products" fresh and undetected.

Fortunately, due to some uncaught exception in the code, the trojan (SHA1: 0d2d3317c6ca1a9812d357741f45af6bb360d89c) doesn't complete its malicious activities — it just crashes and terminates:

We've found over a hundred copies of the trojans, but the large number doesn't make it technically advanced — the copies basically use the same source code, but just re-shuffled into different configurations for the different packages.

The trojans were found on third-party Android markets and target users in Russia, Belarus, Kazakhstan and Azerbaijan.

Even though these trojans crash and fail, we are still detecting them due to the malicious routines, and also because of the large number of copies circulating.

Members of the Anonymous collective announced during Christmas that they had broken into stratfor.com.

STRATFOR is an organization that gathers open source intelligence for forecasting purposes. Their publications are sold via stratfor.com. As far as we can tell, Anonymous gained access to a subscriber list stored on stratfor.com, and that list contained unencrypted credit card data.

Anonymous has now published three lists of credit card details belonging to people who have subscribed to STRATFOR reports. The lists contained 3956, 13191 and 30726 card details, respectively. These card details belong to subscribers all over the world.

After the credit card leaks, various members of Anonymous have published screenshots where these credit cards have been used to make sizable donations to various charities. The charities have included Red Cross, CARE, Save The Children and the African Child Foundation.

At the first glance, actions like this look a bit like the actions of Robin Hood — steal from the rich, give to the poor.

But unfortunately, in this case the poor won't get a dime.

These anonymous donations will never reach the ones in need. And in fact, these actions will just end up hurting the charities, not helping them.

When credit card owners see unauthorized charges on their cards, they report them to their bank or credit card company. Credit card companies will do a chargeback to the charities, which will have to return the money. In some cases, charities could be hit with penalties. At the very least, they will lose time and money in handling the chargebacks.

'Tis the season for giving. And anybody visiting Amnesty International's UK website could currently end up with the gift of a keylogger, courtesy of a Java exploit. Brian Krebs has written about it on his blog: Krebs on Security.

Amnesty's UK site was hacked to include an iframe linking to a Brazilian server, which hosts a CVE-2011-3544 based Java Exploit.

Our browsing protection is now blocking Amnesty's site. We've been blocking the .br site for several days already. We detect, and there's fairly good AV industry coverage on, both the Java exploit and the trojan it drops.

There seems to be a growing practice where malware authors boldly use similar package names and icons of popular apps for their malware, and then publish this malware on the official Android Market. Unsuspecting users might download this malware under the false pretense that they are getting the free/lite version of a legit app.

Similar to the practice employed by Logastrod and Miriada Production, Eldar Limited published its malware disguised as the free version of the Cut the Rope and Assassin's Creed apps. The only problem is that a simple search on the Android Market doesn't return any results for a free version of Cut the Rope. Perhaps the free version simply doesn't exist for the Android platform, but there is a free Cut the Rope Lite for iOS. This is where users might get confused and fall prey to this tactic.

Google's app police managed to detect this fraud and quickly removed it from the Android Market. While the apps are still listed on AppBrain and AndroidZoom, the links will direct users back to the official Android Market where they have already been removed.

A useful tip for users out there is to search for the paid version of the app and take note of the developer's name. If the name on both paid and free versions matches, then it is very likely to be a safe app. Otherwise, don't proceed with the download.

Do not confuse Java with JavaScript: it's hard to use the web without JavaScript. But JavaScript has nothing to do with Java.

The risks of Java are nicely illustrated by the recent Java Rhino vulnerability (aka CVE-2011-3544). If you're running Java, but not the latest version, you're vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether.

And the Java Rhino vulnerability is not theoretical: the most common exploit kits have incorporated this vulnerability in their default exploits, and it seems to be working very well for the online criminals.

Here's a sample screenshot from a Blackhole exploit kit control panel. In this picture we can see 16,144 computers which were taken over with the CVE-2011-3544 vulnerability.

So, ditch Java if you can. It might not be as painful as you think, as Larry Seltzer found out when he tried it.

Do you need Java for a specific web application? Such as an online bank or an intranet app? Leave Java on your system but remove the Java plugin from your daily browser. Then use another browser that you use only for this one service.

Also note that Chrome has been doing a good job in sandboxing or otherwise securing risky add-ons and extensions. Many Java exploits do not work against Chrome. Also, Chrome does not use an Adobe Reader plugin to render PDF files. This is good news, as Chrome is quickly becoming the most common browser on the planet.

F-Secure has a long history of protecting its customers, and as a result, we have some long established customer relationships. And some of our customers have been running our software for years and years. But, just like any other software vendor, we have to stop support for old legacy products at some point.

Thus, we need to remind our home and corporate customers that antivirus updates for F-Secure 8-series software will end on January 1st, 2012.

In practice, EOL means that products such as these will no longer receive antivirus updates:

There are other affected products as well. For a full list of affected consumer products, see here, and for a full list of affected corporate products, see here.

To reiterate: this doesn't just mean that these products are no longer supported (some of them have actually been out of support for quite a while). This means that the actual antivirus signature updates will no longer be published for these products. No new databases will be produced.

We're seeing a rather suspicious social spam run on both Facebook and Twitter today.

And apparently, it's been spreading for 5 days.

The social spam uses a bit.ly short link with various numerical parameters. And in an interesting move, the spam posts two links. (Perhaps this helps evade anti-spam filters?)

Depending on geo-IP and the link clicked, users are directed to chatpreview.me where they are offered "ChatSend", a browser toolbar plugin.

Windows and Mac: both are welcome.

Nearly one million people have clicked on the spam link. There's no telling how many folks installed the download. As you can see from the bit.ly statistics, a large percentage of clicks are from India and the Philippines.

Facebook has started rolling out its new Timeline profile and over the weekend, here in Finland, there were some reports that private messages are being posted to users' profiles.

We have seen no solid evidence of this. And given that Facebook's Finnish translation is far from perfect, the whole thing could just be a misunderstanding. Here's an example of one translation we read today… Timeline profiles now include a new type of story called "Life Events". In the "Health & Wellness" category, there's an option for "Got Contacts". In Finnish, the word used is for contact info, rather than contact lenses.

So we're still waiting to see just what type of "messages" are being posted.

It's patch Tuesday and Microsoft has just issued a patch for the zero-day vulnerability that was used by the Duqu malware discovered in October.

To quote the bulletin:

What does the update do?
The update addresses the vulnerability by modifying the way that a Windows kernel mode driver handles TrueType font files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It is assigned Common Vulnerability and Exposure number CVE-2011-3402.

When this security bulletin was issued, had Microsoft received any reports the vulnerability was being exploited?
Yes. Microsoft was aware of limited, targeted attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.

The developer, named "Logastrod", offered supposed free versions of many popular applications. And while Google has shut down the official market account, sites such as AppBrain still list the downloads.

Based on AppBrain's numbers, Logastrod's apps were downloaded numerous times.

But that isn't the end of the story, the trojans are still live.

Avast's Jindrich Kubec sent a tweet towards Mikko with the developer's current name of "Miriada Production".

Miriada Production's Android Market account is currently online:

There could be several such accounts in Android Market, turning Google's security efforts into a game of Whac-A-Mole.

If installed, the trojans will attempt to send a premium rate SMS using short codes.

Here's a screenshot from the fake World of Goo:

In the past, all of the premium rate SMS trojans that we've actively encountered have targeted Russia.

Well… it's in the fine print. Included within the app's installation agreement is language that says the "customer" will be subscribed to a premium service, and then the app, which is basically a wrapper, will then download the "free" game.

Trojans, backdoors, keyloggers and eavesdropping are used by online criminals. The same techniques are also used by governments. Some governments do this to spy on their own people or to find dissidents. Other governments do this while investigating criminal suspects.

Most of the technology used in such intrusions is not developed by the governments themselves. It is made by private companies that specialize in providing exploits, infection proxies and backdoors to governments.

Additionally, when the app is run, if the user clicks the button at the bottom of the screen, SMS messages are sent out to specified premium rate phone numbers — all numbers so far have used the Russian country code, often specifically the Moscow area. The SMS messages all contain the following text string:

• hm78929201647+1188+51+0+1+b92be

The trojan also downloads a package named love_position_v1.5.0.apk from a remote site (SHA1: 9cb4cc996fb165055e57e53ab5293c48567e9765).

In our testing, the sample failed to run on the phone to which it was downloaded due to a parsing error:

However, standalone analysis of the downloaded package on a separate, clean test phone showed that it has almost the same behavior as Trojan:Android/SMStado.A, though this one also starts a malicious service in the background on booting up:

Our second malware is Trojan:Android/FakeNotify.A.

It pretends to be an update notifier application. These are the permissions used by the app and how it looks when it is installed on the phone:

Note: Though both Stados.A and FakeNotify.A have the same name (установка), Google Translate says this just means "installation". We think this just indicates that a generic word was used to name these apps, rather than being indicative of a relationship between these malware variants.

Once installed and executed, it displays a message that asks the user’s permission to download an application, using the name of a popular mobile game to catch the user's interest:

After clicking the "next" button, FakeNotify immediately sends out three sets of SMS messages in the background. The messages are sent to premium-rate phone numbers in Russia, and contain a text string in the following format:

• [24 digit string].1/316623

The SMS details used came from a database file embedded in the application.

Meanwhile, the user will not see any application download. Instead, another screen will appear that can lead to a website that offers more apps that could potentially be malicious as well:

F-Secure's Community Manager, Ania, asked Mikko and me to take part in a Q&A week. And so, this week, from December 5th to the 9th, we'll be answering questions in our Community forums.

Disclaimer: December 6th is Finland's Independence Day… so, it's a day off. (Give us an extra day to reply.)

Please direct tech support questions to support threads. The Q&A is for security or research related topics, and there are lots of other guys and locations within Community to deal with support issues.

Though, some non-security related questions are okay.

Example question: what's it like living in Finland during the month of December?
Sean's answer: it's like suffering a month of jet lag (because there's so little sunlight).